Today, I learned how to pass sessions through URLs, so I want to experiment with the following two pages:
[index.php]
";?> "> It's too late to get on the bus!
[2.php]
After opening index.php:
Click the link to jump to the page:
My question is: the session IDs of the two pages should be the same. Why? I am a beginner, so please help me with an answer...
Reply content:
Why do I need to add a session to a URL?
1. This is insecure. Assume that you are the administrator: if I capture a packet on the LAN and then present your session_id, I will be the administrator;
2. Currently, session_id is usually transmitted using cookies. As long as the cookie is HttpOnly, it is not afraid of XSS attacks. And do not use Apache 2.2 on the server: a 400 Bad Request vulnerability can expose HttpOnly cookies;
3. If the browser disables cookies, logon is not allowed; this can be implemented using JavaScript.
SID is a constant that contains the session name and session ID in the format "name=ID", the same ID that session_id() returns, but only when the session cookie does not exist on the client. Otherwise, the SID value is a null string.
If the client cookie is not disabled, jump from index.php to 1.php. The output SID should be a null string;
If cookies are disabled and the session ID cannot be obtained from the client's cookie, a new session will be generated, and a different SID will be output every time you jump to 1.php;
Since PHP 4.3.0, php.ini has had the use_only_cookies setting, which specifies whether to use cookies to store session IDs on the client. Enabling this setting prevents attacks related to passing session IDs through URLs. Starting from PHP 5.3.0, the default value is 1 (enabled).
Transfer session ID
Predefined Constants
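The settings named in the replies above (use_only_cookies and an HttpOnly session cookie), applied in code as an added example that is not part of the original thread. It assumes PHP 7.3 or later and a site served over HTTPS; the function names are hypothetical.

```php
<?php
// Added example (not from the thread): accept the session ID from a cookie only.
// Assumptions: PHP 7.3+ (array form of session_set_cookie_params), HTTPS site.

// True when the request URL carries a parameter named like the session cookie,
// e.g. ?PHPSESSID=... from a leaked or hand-built link.
function url_carries_session_id(array $query): bool
{
    return array_key_exists(session_name(), $query);
}

function start_cookie_only_session(): void
{
    // All of these must be set before session_start().
    ini_set('session.use_only_cookies', '1'); // ignore IDs supplied in the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only, not readable on the LAN
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after a successful login so an ID seen before authentication is useless.
function rotate_session_on_login(string $user): void
{
    session_regenerate_id(true); // true: delete the old session data
    $_SESSION['user'] = $user;
}

if (url_carries_session_id($_GET)) {
    // Refuse instead of silently ignoring, so leaked links show up in logs.
    http_response_code(400);
    exit('Session IDs are not accepted in the URL.');
}

start_cookie_only_session();

// Links stay plain: the ID travels in the cookie, not in the href.
echo '<a href="2.php">Next page</a>';
echo '<p>Session ID on this page: ' . htmlspecialchars(session_id()) . '</p>';
```

Placing the same `start_cookie_only_session()` call at the top of 2.php lets the two pages be compared by the session ID each one prints.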
The asker's foundation is not solid. First, the SID variable is not assigned a value. Second, the GET parameter is not even attached with key=. Finally, who told you that common variables can be transferred across pages? Unless it is a session or application superglobal variable.
I would like to know where you learned about passing sessions through URLs. Reading the original article may give you an answer.